[apparmor] dbus/pair address rule encoding
John Johansen
john.johansen at canonical.com
Fri May 10 16:42:10 UTC 2013
On 05/10/2013 08:24 AM, Jamie Strandboge wrote:
> On 05/10/2013 09:45 AM, Jamie Strandboge wrote:
<< snip >>
>> Another option that retains the spirit of the multi-valued set (note the
>> commas within peer()) is:
>>
>> dbus peer (name=a.peer.address, interface=a.peer.interface) send,
>> net tcp addr=192.168.0.1 peer (addr=10.1.0.0/24, port=443) send,
>>
>> but this is horribly inconsistent within the rule itself when the
>> subject is specified (and no, I don't want commas for the subject). Eg:
>>
>> dbus name=... path=... peer (name=..., interface=...) send,
>>
>>
>
> Well, arguably the most consistent would be tweaking Steve's grouping
> slightly to have a rule like this (my previous "I don't want commas for
> the subject" comment didn't consider subj()):
>
I'll reiterate, just in case people missed it buried in my reply to your
other email: the commas in ( ) are optional. In fact, the only reason
I included support for them was that the original flags=( ) syntax
used them and I included them for backwards compat. Of course it also
doesn't hurt that it just works when someone is used to writing out
a list with commas.
> dbus bus=... subj=(name=..., path=...) peer=(name=..., path=...) send,
>
I could live with this too.
> This is exceptionally clear and consistent with other multi-valued sets,
> but is verbose ('subj=(name=...' admittedly looks slightly odd with the
> two '='s in close proximity, but I can live with that).
>
Yes, the two = in proximity are a little weird.
> Still open, but this is my new favorite (let it sink in for a moment and
> I think you may agree :).
>
So I tend to prefer the word being tied to the ( ), but I would be open
to using a different symbol than =.